In complex and generally large-scale systems and organisations, such as corporate Information Technology (IT) infrastructures, there are many potential impacts on the security of the system. Such security vulnerabilities, even where they can be discovered and defined in a meaningful way, are typically difficult and costly to assess. This is because of, for example, the number and nature of the vulnerabilities and the number of assets present in such large systems, all of which affect the potential solutions, which vary greatly.
A security operations team in a typical organisation has a number of security controls at its disposal, such as patching, antivirus, client-side firewalls, and so on, that together minimise the exposure of the organisation's systems to risks or vulnerabilities. However, it is notoriously difficult to evaluate how effective these security mechanisms are at protecting an organisation, and even harder to estimate the impact of a change in security mechanism investment choice or a change in policy. Examination of historical data gives only partial answers. For example, it is typically possible to track how long the deployment of a particular patch takes, but without the context of the external threat environment, the historical data alone cannot show whether systems were left exposed for too long and thus carried unacceptable risk.
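The point about patch deployment history being insufficient without threat context can be made concrete with a small calculation. The following is an added illustration, not code from the original text. It contrasts a purely historical metric (days from patch release to patch application) with a threat-contextualised one (days during which a patch was available but not applied while a public exploit was known). The records, vulnerability identifiers (VULN-A, VULN-B), asset names, dates and the 14-day exposure threshold are all constructed for the example; the definition of "exposure" as the overlap of the unpatched interval with the interval after exploit publication is an assumption chosen here, not a definition from the text.

```python
"""Exposure-window estimation from patch history plus external threat context.

Added example (not part of the original text). All assets, vulnerability
identifiers, dates and thresholds below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    vuln_id: str                   # placeholder identifier, e.g. "VULN-A"
    patch_released: date           # date the vendor made the fix available
    patch_applied: Optional[date]  # None if the asset is still unpatched


@dataclass(frozen=True)
class AssessmentRow:
    asset: str
    vuln_id: str
    time_to_patch_days: int  # historical metric only
    exposure_days: int       # historical metric combined with threat context
    over_sla: bool           # exposure exceeded the chosen threshold


def time_to_patch_days(rec: PatchRecord, as_of: date) -> int:
    """Historical view: days between patch release and application (or as_of if unpatched)."""
    end = rec.patch_applied or as_of
    return (end - rec.patch_released).days


def exposure_days(rec: PatchRecord, exploit_public: Optional[date], as_of: date) -> int:
    """Threat-contextualised view (assumed definition): days on which a patch existed,
    was not yet applied, and a public exploit was known.

    The window starts at the later of patch release and exploit publication and ends
    at patch application (or as_of). With no known exploit the exposure is 0, even if
    the patch took a long time to roll out.
    """
    if exploit_public is None:
        return 0
    start = max(rec.patch_released, exploit_public)
    end = rec.patch_applied or as_of
    return max(0, (end - start).days)


def assess(records: List[PatchRecord], exploits: Dict[str, Optional[date]],
           as_of: date, sla_days: int) -> List[AssessmentRow]:
    """Combine patch history with exploit-availability dates for every record."""
    rows = []
    for rec in records:
        exp = exposure_days(rec, exploits.get(rec.vuln_id), as_of)
        rows.append(AssessmentRow(
            asset=rec.asset,
            vuln_id=rec.vuln_id,
            time_to_patch_days=time_to_patch_days(rec, as_of),
            exposure_days=exp,
            over_sla=exp > sla_days,
        ))
    return rows


def fraction_over_sla(rows: List[AssessmentRow]) -> float:
    """Share of (asset, vulnerability) pairs whose exposure exceeded the threshold."""
    return sum(1 for r in rows if r.over_sla) / len(rows) if rows else 0.0


# Constructed sample data: three assets, two vulnerabilities, one known exploit.
AS_OF = date(2024, 3, 1)
EXPOSURE_SLA_DAYS = 14  # constructed threshold, not a recommended value
SAMPLE_RECORDS = [
    PatchRecord("ws-01", "VULN-A", date(2024, 1, 10), date(2024, 2, 9)),
    PatchRecord("ws-02", "VULN-B", date(2024, 1, 10), date(2024, 2, 9)),
    PatchRecord("srv-01", "VULN-A", date(2024, 1, 10), None),
]
SAMPLE_EXPLOITS: Dict[str, Optional[date]] = {
    "VULN-A": date(2024, 1, 15),  # public exploit appeared five days after the patch
    "VULN-B": None,               # no known public exploit
}


if __name__ == "__main__":
    # ws-01 and ws-02 have identical time-to-patch (30 days) but very different exposure.
    for row in assess(SAMPLE_RECORDS, SAMPLE_EXPLOITS, AS_OF, EXPOSURE_SLA_DAYS):
        print(row)
    print("fraction over SLA:", fraction_over_sla(assess(
        SAMPLE_RECORDS, SAMPLE_EXPLOITS, AS_OF, EXPOSURE_SLA_DAYS)))
```

In the sample, ws-01 and ws-02 both took 30 days to patch, so the historical metric ranks them identically; only when exploit publication dates are joined in does ws-01 show 25 days of real exposure while ws-02 shows none. The still-unpatched srv-01 accumulates exposure up to the assessment date, which is the case a purely retrospective "time to patch" report cannot express at all.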